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DETAILED ACTION 
Response to Amendment 

1. This action is in response to the amendment filed 4/10/07. 

Response to Arguments 

2. Applicant's arguments filed 4/10/07 have been fully considered but 
they are not persuasive. 

Applicant argues that Mishra does not teach the use of an aggregator 
token (see Remark, page 10, 3 rd paragraph), wherein (i) the aggregator 
token is generated and sent to a client after its user has been successfully 
authenticated during a single-sign-on operation that is provided by the ASP 
aggregator service; (ii) the aggregator token then accompanies any request 
from the client to aggregated applications within the ASP aggregator 
service's infrastructure; and (iii) in various embodiments of the invention, 
the aggregator token comprises an indication of an address or resource 
identifier within the ASP aggregator service to which a client/user can be 
redirected when the client/user needs to be authenticated by the ASP 
aggregator service (see Remark, page 10, 2 nd paragraph). 

Mishra et al ("Security Services Markup Language") discloses that an 
aggregator token, i.e., a name assertion, is generated and sent to a client as 
part of an authentication response message after its user has been 
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successfully authenticated during a single-sign-on operation that is provided 
by the ASP aggregator service (page 4, definition of Name Assertion; pages 
7-8, Section 3.1, Scenario #1: User-Driven Transactions (Single Sign-On); 
page 16, AuthResponse message). 

Mishra also discloses that the aggregator token then accompanies a 
request from the client to an aggregated application within the ASP 
aggregator service's infrastructure, i.e., the name assertion is included in 
the user's request to access site B (pages 7-8, Section 3.1, Scenario #1: 
User-Driven Transactions (Single Sign-On)). 

With respect to independent claims 1, 16 and 31, Mishra further 
discloses that the aggregator token comprises a logon resource identifier, 
i.e., the URI of the authentication engine which authenticates the user and 
issues aggregator token (page 12 and 16, see the <Issuer> tag within the 
<NameAssertion> of the authentication response from the authentication 
engine). 

With respect to other independent claims, whereas Mishra discloses 
using the logon resource identifier to request the logon resource for further 
information regarding the authenticated user (page 8), Mishra does not 
disclose using the logon resource identifier for the purpose of redirecting 
users who need to be authenticated; however, this feature is taught by 
Gupta et al (6,226,752). 
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Claim Rejections - 35 USC §102 

(a) the invention was known or used by others in this country, or patented or described in a 
printed publication in this or a foreign country, before the invention thereof by the applicant 
for a patent. 

3. Claims 1, 3, 16, 18 and 31 are rejected under 35 U.S.C. 102(a) as 
being anticipated by Mishra et al ("Security Services Markup Language"). 
Mishra discloses a method comprising receiving from a client a request to 
access a resource protected by an application service provider (ASP) 
aggregator service, wherein the ASP aggregator service provides single sign- 
on functionality for a plurality of net-sourced applications, wherein at least 
one of the net-sourced applications is hosted by an ASP; in response to a 
determination that the client or a user of the client has not been properly 
authenticated by the ASP aggregator service for a current client session, 
requiring the client or the user of the client to successfully complete an 
authentication process (Section 3.1, Scenario #1: User-Driven Transactions 
(Single Sign-On)); and sending to the client a response to the request 
received from the client, wherein the response is accompanied by an 
aggregator token, wherein the aggregator token comprises the URL of an 
authentication engine that provides logon service (Section 3.1, Scenario #1: 
User-Driven Transactions (Single Sign-On); Section 4. 3, Authentication 
(Auth) and Authorization (Az) Services, pages 15-16; figure on page 29). 
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Claim Rejections - 35 USC §103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis 
for all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a 
whole would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 2, 4-5, 17, 19-20 and 32-34 are rejected under 35 

U.S.C. 103(a) as being unpatentable over Mishra as applied to claims 1, 16 
and 31 above, and further in view of Gupta et al (6,226,752). 

Regarding claims 2, 4, 17, 19 and 32-33, Mishra does not disclose that 
the URL is that of a logon Web page. Gupta discloses a method for providing 
single sign-on service utilizing the URL of a login server as a redirection 
address and the login server is configured such that a login Web page is the 
default Web page for that URL (col. 12, lines 13-41). It would have been 
obvious to one of ordinary skill in the art at the time the invention was made 
to modify the Mishra method such that the URL of the login service is also 
the URL of a login Web page for redirection purpose, as taught by Gupta. 
The motivation for doing so would have been to facilitate user's login process 
since the browser automatically handles redirection without any interaction 
from the user. 
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Regarding claims 5, 20 and 34, Mishra discloses that an application 
service provider (ASP) receives a request for service accompanied with an 
aggregator token from a client and the ASP determines whether the user of 
the client has been properly authenticated (Section 4.4, Assertion Validity). 
However, Mishra does not teach what the ASP does if is determined that the 
user has not been properly authenticated. Gupta discloses a method for 
accessing resource at an ASP protected by a login server providing ASP 
aggregator service. In particular, Gupta discloses that if the ASP determines 
that a user has not been properly authenticated, the ASP will send to the 
client a response indicating a URL of a login Web page at the login server as 
a redirect destination so that the user can be authenticated, and, upon 
successful authentication, the login server redirects the user's request 
accompanied by an aggregator token to the ASP (Abstract; col. 7, lines 1- 
15; fig. 3 and corresponding text). It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the 
Mishra method such that if the ASP determines that a user has not been 
properly authenticated, the ASP will send to the client a response indicating 
a URL of a login Web page at the login server as a redirect destination so 
that the user can be authenticated, and, upon successful authentication, the 
login server redirects the user's request accompanied by an aggregator 
token to the ASP, as taught by Gupta. The motivation for doing so would 
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have been that the process does not require any interaction from the user 
(col. 7, lines 19-23). Since the ASP needs the URL of the authentication 
engine that performs the login service to redirect the user's request and 
there are more than one authentication engine (figure on page 8), it would 
be obvious by the combination of Mishra and Gupta above for the ASP to 
extract the URL from the token so that the ASP knows which authentication 
engine the user's request should be redirected to. 

6. Claims 6-8, 10-15, 21-23, 25-30 and 35-38 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Mishra in view of Gupta. 

Regarding claims 6-7, 11, 13-14, 21-22, 26, 28-29, 35-36 and 38, 
Mishra discloses that an ASP receives a request for service accompanied with 
an aggregator token from a client, the aggregator token being originated 
from an ASP aggregator service that provides single-sign-on functionality for 
a plurality of net-sourced applications, wherein at least one of the net- 
sourced applications is the net-sourced application hosted by the ASP 
(Section 3.1, Scenario #1: User-Driven Transactions (Single Sign-On); 
Section 4. 3, Authentication (Auth) and Authorization (Az) Services, pages 
15-16). Mishra also discloses that the aggregator token comprises the URL 
of an authentication engine that provides logon service to a user (Section 
3.1, Scenario #1: User-Driven Transactions (Single Sign-On); Section 4. 3, 
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Authentication (Auth) and Authorization (Az) Services, pages 15-16). Mishra 
further discloses that the ASP determines whether the user of the client has 
been properly authenticated (Section 4.4, Assertion Validity). However, 
Mishra does not teach what the ASP and the ASP aggregator service do if it 
is determined that the user has not been properly authenticated. Gupta 
discloses a method for accessing resource at an ASP protected by a login 
server providing ASP aggregator service. In particular, Gupta discloses that 
if the ASP determines that a user has not been properly authenticated, the 
ASP will send to the client a response indicating a URL of a login Web page 
at the login server as a redirect destination. Gupta also discloses that the 
login server receives the redirect request, requires the user to successfully 
complete an authentication process, extracts the identifier of the ASP from 
the redirect request and sends a response to the client indicating the 
identifier of the ASP as a redirect destination (Abstract; col. 7, lines 1-15; 
fig. 3 and corresponding text). It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the 
Mishra method such that if the ASP determines that a user has not been 
properly authenticated, the ASP sends to the client a response indicating a 
URL of a login Web page at the login server as a redirect destination and the 
login server receives the redirect request, requires the user to successfully 
complete an authentication process, extracts the identifier of the ASP from 
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the redirect request and sends a response to the client indicating the 
identifier of the ASP as a redirect destination, as taught by Gupta. The 
motivation for doing so would have been that the process does not require 
any interaction from the user (col. 7, lines 19-23). Since the ASP needs the 
URL of the authentication engine that performs the login service to redirect 
the user's request and there are more than one authentication engine (figure 
on page 8), it would be obvious by the combination of Mishra and Gupta 
above for the ASP to extract the URL from the token so that the ASP knows 
which authentication engine the user's request should be redirected to. 

Regarding claims 8, 23 and 37, Mishra further discloses that the ASP 
determines the validity of the token (Section 4.4, Assertion Validity). 

Regarding claims 10, 12, 15, 25, 27 and 30, Mishra does not disclose 
that the URL is that of a logon Web page. Gupta discloses a method for 
providing single sign-on service utilizing the URL of a login server as a 
redirection address and the login server is configured such that a login Web 
page is the default Web page for that URL (col. 12, lines 13-41). It would 
have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the Mishra method such that the URL of the login 
service is also the URL of a login Web page, as taught by Gupta. The 
motivation for doing so would have been to facilitate user's login process 
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when the login server is configured with the username and password 
mechanism. 

7. Claims 9 and 24 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mishra in view of Gupta as applied to claims 6 and 21 
above, and further in view of McCarty et al (US Pub. No. 2002/0029269). 
Mishra does not disclose that access to the resource is controlled by the ASP 
on a subscription basis. McCarty discloses a method for accessing resource 
at an ASP using ASP aggregator service, the resource being controlled by the 
ASP on a subscription basis (paragraphs 0015-0016, 0055, 0067-0068). It 
would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the combined method of Mishra and Gupta 
such that access to the resource is controlled by the ASP on a subscription 
basis, as taught by McCarty. The motivation for doing so would have been 
to present a seamless user interface as a user accesses different web-based 
external systems, while maintaining the independence of the external 
systems (paragraph 0012). 

Conclusion 

8. The prior art made of record and not relied upon is considered 
pertinent to applicant's disclosure. 



Application/Control Number: 09/965,736 Page 11 

Art Unit: 2132 

U.S. Patent No. 7,137,006 to Grandcolas et al. 

U.S. Patent No. 7,174,383 to Biswas et al. 

U.S. Patent No. 7,231,661 to Villavicencio et al. 

Samar, "Single Sign-On Using Cookies for Web Applications" 

9. THIS ACTION IS MADE FINAL. Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to 
expire THREE MONTHS from the mailing date of this action. In the event a 
first reply is filed within TWO MONTHS of the mailing date of this final action 
and the advisory action is not mailed until after the end of the THREE- 
MONTH shortened statutory period, then the shortened statutory period will 
expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply 
expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Minh Dinh whose telephone number 
is 571-272-3802. The examiner can normally be reached on Mon-Fri: 
10:00am-6:30pm. 
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If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. 
The fax phone number for the organization where this application or 
proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center 
(EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272- 
1000. 



/MD/ 
Minh Dinh 
Examiner 
Art Unit 2132 
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